Kaseya Cyberattack Has Encrypted About 1,500 Client IT Systems
A cyberattack on Kaseya Virtual System Administrator (VSA) has also impacted IT management companies and their clients. The Kaseya VSA product was hit by a REvil ransomware attack on Friday, July 2. The supply-chain attack has also impacted Kaseya’s customers that use VSA for patch management and system monitoring.
“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only,” says the company’s public statement.
REvil ransomware, also known as Sodinokibi or Sodin ransomware, is the same ransomware involved in the well-known ransomware attack on Colonial Pipeline in March. It was also used to attack Brown-Forman Corp., the producer of Jack Daniel’s whiskey.
Kaseya VSA is a Remote Monitoring and Management (RMM) software. The company’s clients are managed service providers (MSP) that in turn manage IT systems for their own customers.
REvil cybercriminals successfully exploited a zero-day flaw, as well as other vulnerabilities, to compromise Kaseya’s remote monitoring system, VSA.
Kaseya confirms that 60 of its customers that are using the VSA on-premises product were also compromised by this attack. However, those customers have clients of their own, bringing the total number of impacted companies to about 1,500.
REvil claims that over one million IT systems have been impacted. REvil operates under a ransomware-as-a-service model, meaning affiliate attackers can use the malware and pay the operators a percentage of the ransom.
The attackers struck on the eve of a major holiday in the United States. This is a common tactic cybercriminals use to maximize impact and demand massive ransoms. Weekends and holidays are often the periods when IT staffing is at its lowest.
Kaseya VSA is an IT management software vendor that provides remote monitoring and management services to its clients. Part of its services includes automated patch management.
Kaseya says it has 36,000 customers. Its SaaS customers were not compromised.
The company has released a ransomware detection tool that can be downloaded here.
The statement from Kaseya warns all customers to be vigilant about future email phishing attacks. Cybercriminals often phish customers using fake warnings and situation updates in attempts to trick employees into clicking on harmful links or visiting malicious websites.
These spoofed links and websites are crafted to look like legitimate corporate communications. However, they carry malicious code that can launch further malware attacks or steal login credentials.
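As an added illustration of the follow-on phishing risk described above (this is example code written for this page, not a tool from Kaseya, CISA or the FBI), the script below scans a constructed "incident update" email for links and flags the patterns such lures typically rely on: a trusted brand name embedded in an untrusted domain, a raw IP address as the host, plain HTTP, and direct links to executables. The email text, the `kaseya.example` allowlist entry and all URLs are constructed sample data; a real deployment would load the allowlist from the organisation's own list of trusted vendor domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample message imitating a vendor incident update (not a real email).
SAMPLE_EMAIL = """From: support@kaseya-support-update.example
Subject: Urgent: VSA incident update and patch

Please review the incident update at https://kaseya-support-update.example/vsa/update
and download the detection tool from http://198.51.100.23/tools/detect.exe
Official status page: https://helpdesk.kaseya.example/status
"""

# Assumed allowlist of registrable domains the organisation treats as legitimate.
TRUSTED_DOMAINS = {"kaseya.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable(host):
    """Naive registrable-domain extraction: keep the last two labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons a URL looks suspicious (empty list = no finding)."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""

    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address host")
    elif registrable(host) not in trusted:
        # Lookalike check: a trusted brand name appearing inside an untrusted domain.
        for domain in trusted:
            brand = domain.split(".")[0]
            if brand in host:
                reasons.append(f"untrusted domain contains brand '{brand}'")
                break
        else:
            reasons.append("domain not in allowlist")

    if parsed.scheme == "http":
        reasons.append("plain http")
    if parsed.path.lower().endswith((".exe", ".msi", ".zip", ".js")):
        reasons.append("link to executable download")
    return reasons


def scan_email(text, trusted=TRUSTED_DOMAINS):
    """Map each suspicious URL found in the message body to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(text):
        reasons = classify_url(url, trusted)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```

The legitimate status link (a subdomain of the allowlisted domain, HTTPS, no executable) produces no finding, while the lookalike domain and the IP-hosted `.exe` link are each reported with the specific reasons, which is the level of detail a mail-gateway rule or a user-facing banner needs.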
Kaseya Ransomware Attack – What to Do?
CISA and the FBI have issued guidance on how to protect networks from the REvil attacks.
- Enable and enforce multi-factor authentication (MFA) on every account
- Keep up-to-date backups
- Store backups in a location that is not connected to the network (air gap)
- Apply the principle of least privilege
Read the full guidance here